Wednesday, May 2, 2018

Using IoT devices for IDS applications Cont...

About a month ago I started describing the process of using a Raspberry Pi device as an IDS. Here I continue with that process.

From this base of an installed and updated OS, the project installed Snort, Barnyard2, PulledPork, and WebSnort by following the instructions for, and using, the Snorter installation script available at https://github.com/joanbono/Snorter. Once this process was completed and the applications were configured, the NIDS was complete and functional. Another application that can be installed is Kismet. An explanation of the installed applications is given in the project results section.

Another application that was installed was the remote desktop application XRDP, which allows remote access to the RPZW should it be necessary. However, during configuration, use of the remote desktop often delayed or interfered with the downloading of application packages.

By following the installation processes on the pages listed below, installation of the software should be fairly simple to complete.

Listing of sites used for the installation processes:
  • https://docs.kali.org/introduction/download-official-kali-linux-images
  • https://etcher.io/
  • https://whitedome.com.au/re4son/kali-pi/#swap
  • https://www.raspberrypi.org/downloads/
  • https://whitedome.com.au/re4son/re4son-kernel/
  • https://docs.kali.org/general-use/kali-linux-sources-list-repositories
  • https://github.com/joanbono/Snorter

Due to the non-standard configuration of an RPZW computer system, and because this project was conducted on a highly compressed time-cycle, certain items should be noted. In configuring the RPZW as a NIDS, the project found that the initial off-the-shelf RPZW required an additional Wi-Fi connector known as a USB “On the Go” adapter, while the OS footprint and the installed applications required at least 16 GB of disk space. Within these limitations the project was a success.

The project group noted some benefits of the particular OS, as the Kali Linux derivative is designed as a penetration-testing Linux for those specializing in network security evaluations. Because of this specific intention of the distribution, the project has developed a standalone tool that can provide a complete evaluation of network security. The project successfully installed the following applications for use: Snort, BarnYard2, WebSnort, PulledPork and Kismet, as well as Wireshark from the default installation. A short summary of the applications is below.

Snort, as the snort.org documentation states, “is an open source network intrusion prevention system, capable of performing real-time traffic analysis and packet logging on IP networks.” Using Snort we can monitor and detect network attacks while they are active on the network.

BarnYard2 is an application deployed to translate the output of Snort. Other applications use it as a translation service to understand Snort's output.

PulledPork is a set of rules for use in Snort; they are provided by the maintainers of Snort. The maintainers of the Snort application provide a public version, a private version and a paid-access version of these rule sets. Using the predefined rule sets provides an efficient method of automating the detection of network issues.
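Whatever rule sets are pulled in, and any local rules written for the Pi, end up in plain-text rule files, and a broken rule (no sid, a sid used twice, an option not terminated by a semicolon) is something Snort complains about at startup rather than something the NIDS silently tolerates. The following is an added example, not code from the post, from Snorter or from the Snort project: a small Python checker for Snort 2 rule syntax that reports structural errors and duplicate sids before a rule file is loaded. The sample local.rules text, its sids (1000001 onwards, the range conventionally used for local rules) and its messages are constructed for the example.

```python
"""Minimal Snort 2 rule-file checker (added example; not from the post or from Snort)."""
from collections import defaultdict

SNORT_ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
DIRECTIONS = {"->", "<>"}

# Constructed local.rules for a Pi NIDS (example data, not from the post).
# Line 4 reuses sid 1000002 and line 5 has no sid at all, on purpose.
RULES_TEXT = """\
# constructed local.rules for a Pi NIDS
alert icmp any any -> $HOME_NET any (msg:"LOCAL ICMP echo request"; itype:8; sid:1000001; rev:1; classtype:misc-activity;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL SSH connection to Pi"; flow:to_server,established; sid:1000002; rev:2;)
alert tcp any any -> $HOME_NET 80 (msg:"LOCAL HTTP request; semicolon inside msg"; content:"GET"; nocase; sid:1000002; rev:1;)
alert udp any any -> any 53 (msg:"LOCAL DNS query without sid"; rev:1;)
"""


def split_options(body):
    """Split the text inside the rule's parentheses into 'key:value' tokens.
    Splits on ';' but honours double-quoted values, so a ';' inside msg is kept."""
    tokens, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:                      # character after a backslash inside quotes
            cur.append(ch)
            escaped = False
        elif ch == "\\" and in_quote:
            cur.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch == ";" and not in_quote:
            tok = "".join(cur).strip()
            if tok:
                tokens.append(tok)
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if in_quote or tail:                 # every option must end with ';' outside quotes
        raise ValueError("options not terminated by ';': %r" % tail)
    return tokens


def parse_rule(line):
    """Parse one rule line into a dict; raise ValueError on structural errors."""
    line = line.strip()
    open_idx = line.find("(")
    if open_idx < 0 or not line.endswith(")"):
        raise ValueError("rule body must be wrapped in parentheses")
    header = line[:open_idx].split()
    if len(header) != 7:
        raise ValueError("header needs 7 fields (action proto src sport dir dst dport), got %d" % len(header))
    action, proto, src, sport, direction, dst, dport = header
    if action not in SNORT_ACTIONS:
        raise ValueError("unknown action %r" % action)
    if direction not in DIRECTIONS:
        raise ValueError("direction must be -> or <>, got %r" % direction)
    options = []
    for tok in split_options(line[open_idx + 1:-1]):
        key, _, value = tok.partition(":")   # options like 'nocase' have no value
        options.append((key.strip(), value.strip()))
    opts = dict(options)                     # last value wins; fine for sid/msg/rev
    if "sid" not in opts or not opts["sid"].isdigit():
        raise ValueError("rule has no numeric sid")
    if "msg" not in opts:
        raise ValueError("rule has no msg")
    return {
        "action": action, "proto": proto, "src": src, "sport": sport,
        "direction": direction, "dst": dst, "dport": dport,
        "sid": int(opts["sid"]), "rev": int(opts.get("rev", "0") or 0),
        "msg": opts["msg"].strip('"'), "options": options,
    }


def load_rules(text):
    """Parse every non-comment line; return (rules, errors), errors as (line_no, message)."""
    rules, errors = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            rules.append(parse_rule(line))
        except ValueError as exc:
            errors.append((no, str(exc)))
    return rules, errors


def find_duplicate_sids(rules):
    """Map sid -> list of msg for every sid used by more than one rule."""
    by_sid = defaultdict(list)
    for rule in rules:
        by_sid[rule["sid"]].append(rule["msg"])
    return {sid: msgs for sid, msgs in by_sid.items() if len(msgs) > 1}


def check_rules(text):
    """One-call summary: how many rules parsed, which lines failed, which sids collide."""
    rules, errors = load_rules(text)
    return {"rules": len(rules), "errors": errors, "duplicate_sids": find_duplicate_sids(rules)}


if __name__ == "__main__":
    for key, value in check_rules(RULES_TEXT).items():
        print(key, "=", value)
```

Running the block against the constructed file reports three parsed rules, one error on line 5 (no sid) and sid 1000002 used by two different rules; the same checker can be pointed at a rules directory before restarting Snort after a rule update.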

WebSnort is a browser-based interface for displaying the output of what is referred to as a pcap file. Pcap files are the generated output produced by Snort. During analysis of Snort output, WebSnort can manipulate the output files.
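Before a front end such as WebSnort is involved, the quickest way to confirm that the sensor is actually alerting is to read Snort's own fast alert log (the alert_fast output mode, one line per alert). The block below is an added example, not code from the post or from Snort, Barnyard2 or WebSnort: it parses constructed alert_fast lines, skips anything that is not an alert, and summarises alerts per signature and per source, listing the sources behind priority-1 alerts (Snort's highest priority). The addresses, sids and messages are constructed, and IPv4 endpoints are assumed.

```python
"""Summarise Snort alert_fast output (added example; not from the post or from Snort)."""
import re
from collections import Counter

# Constructed alert_fast lines (example data, not captured from the project's Pi).
# The last line is deliberate noise to show that non-alert lines are skipped.
SAMPLE_ALERTS = """\
05/02-14:23:01.123456  [**] [1:1000001:1] LOCAL ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.50 -> 192.168.1.10
05/02-14:23:05.654321  [**] [1:1000002:2] LOCAL SSH connection to Pi [**] [Classification: Attempted login] [Priority: 1] {TCP} 192.168.1.77:51234 -> 192.168.1.10:22
05/02-14:23:06.000001  [**] [1:1000002:2] LOCAL SSH connection to Pi [**] [Classification: Attempted login] [Priority: 1] {TCP} 192.168.1.77:51235 -> 192.168.1.10:22
05/02-14:24:00.111111  [**] [1:1000003:1] LOCAL HTTP request to Pi [**] [Priority: 3] {TCP} 192.168.1.50:40000 -> 192.168.1.10:80
this line is not an alert and is skipped
"""

# One alert_fast line: timestamp, [**] gid:sid:rev msg [**], optional classification,
# priority, {proto}, src -> dst.  Endpoints are assumed to be IPv4 (optionally :port).
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


def split_endpoint(endpoint):
    """'192.168.1.10:22' -> ('192.168.1.10', 22); ICMP lines carry no port -> (ip, None)."""
    host, sep, port = endpoint.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return endpoint, None


def parse_alert(line):
    """Return a dict for one alert_fast line, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    src_ip, src_port = split_endpoint(m["src"])
    dst_ip, dst_port = split_endpoint(m["dst"])
    return {
        "ts": m["ts"], "gid_sid": "%s:%s" % (m["gid"], m["sid"]), "rev": int(m["rev"]),
        "msg": m["msg"], "classification": m["cls"], "priority": int(m["prio"]),
        "proto": m["proto"], "src_ip": src_ip, "src_port": src_port,
        "dst_ip": dst_ip, "dst_port": dst_port,
    }


def parse_alerts(text):
    """Parse a whole log; return (alerts, skipped) where skipped counts non-matching lines."""
    alerts, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        parsed = parse_alert(line)
        if parsed is None:
            skipped += 1
        else:
            alerts.append(parsed)
    return alerts, skipped


def summarize(alerts, urgent_priority=1):
    """Counts per signature and per source IP, plus the sources behind urgent alerts."""
    by_sig = Counter((a["gid_sid"], a["msg"]) for a in alerts)
    by_src = Counter(a["src_ip"] for a in alerts)
    urgent = sorted({a["src_ip"] for a in alerts if a["priority"] <= urgent_priority})
    return {"by_signature": dict(by_sig), "by_source": dict(by_src), "urgent_sources": urgent}


if __name__ == "__main__":
    parsed, noise = parse_alerts(SAMPLE_ALERTS)
    print("alerts:", len(parsed), "skipped lines:", noise)
    for key, value in summarize(parsed).items():
        print(key, "=", value)
```

The skipped-line count matters in practice: a log that is mostly unparsable usually means the output plugin or its format changed, not that the network went quiet.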

Wireshark is an application that can be used to monitor network protocols. While running Wireshark, the project can monitor the data packets traversing the network. This application provides information not only on the packet header, but can also be used to reconstruct the actual web pages that have been transferred across the network.

Kismet is used as a wireless network detector, sniffer and an IDS application in its own right; it can itself work as the IDS over a Wi-Fi network. Like Wireshark and Snort, it needs the Wi-Fi chipset to support promiscuous mode. Its monitoring of the network is passive in nature. Kismet can also provide a survey report of the Wi-Fi networks in the area.

Wrapping this up

The project’s efforts were focused on developing a NIDS that can notify the administrators or owners of the host network of unwelcome traffic, with the additional goals of maintaining a low entry cost, using power efficiently (minimal power draw for the device), and providing documentation of the process.

The project developed an RPZW device capable of using a host of applications to monitor the network. Several programs used to enable monitoring of a network were installed on the device: Snort, Kismet, Wireshark, WebSnort, PulledPork, and BarnYard2. While each of these applications alone can provide suitable monitoring of a network, combined they offer a comprehensive ability to monitor it.

The project’s low cost can be maintained. All applications, including the operating system, are available as open-source software. Additionally, the RPZW device itself was purchased for ten dollars, and accessories were available for a few dollars more. To further emphasize cost saving, we can stress that this device also consumes very little power when in operation. The final goal of the project was to provide documentation as a reference on how to replicate this endeavor; the project respectfully submits this document as that documentation. The group’s efforts have been recorded within it.

Network monitoring tools are often thought of only after an issue has been discovered. The ability to ensure that the network is uncompromised, so that the information, passwords, credit card details and other private information sent over it remain confidential, is likewise only valued after evidence of a compromise is found. As a result, the value of a passive NIDS monitoring the network should be considered as great as the value of the information available on that network. Likewise, the usefulness of the NIDS would only be noticed after the network has been compromised.

The group must say that the project was not without issues; as a group, we successfully overcame them as they arose. The issues ranged from logistical problems to configuration issues with the appliance.

One of the initial issues the project suffered from concerned the specialized hardware, notably the so-called “USB On the Go” connector. This micro USB male to female USB cable or adapter was initially ordered at the same time as the original RPZW. The first cable ordered only arrived on July 19th, after being promised with the standard 5-day delivery. After the arrival of other adapters made for the RPZW, a different “USB On the Go” cable adapter was ordered and arrived as promised two days later. While awaiting cables, the project group used the time to write disk images of various operating systems onto several micro SD cards.

Once all the cables arrived and the RPZW was assembled, a second issue was discovered: the originally purchased RPZW was not operational. This was confirmed by using a few of the already imaged micro SD cards successfully in another known-good Raspberry Pi. Once this was identified as the problem, the device was returned to the store and exchanged for a working unit.

One issue was the group’s unfamiliarity with the RPZW. As with some distributions for the Raspberry Pi, the installation can be completed on the slightly larger, 64-bit Raspberry Pi 3B, and the micro SD card with the installed and configured OS can then simply be transferred to the RPZW and updated. An initial selection of OpenSUSE as the OS was in error, as that distribution no longer supports 32-bit hardware. Eventually it was determined that a modified version of Kali Linux can be used on the RPZW, and it was installed.

The final issue was encountered during the first installation of the software. The first installation of the OS and supporting applications was made on an 8 GB micro SD card. After installing and upgrading the base applications, the project ran out of space on the flash memory card. A larger 16 GB card was used and the installation of all applications was completed.

A small number of changes would be made if this group were to repeat the project. First, on the ordering of parts, the group recommends ordering from local vendors, or from vendors with policies in place to guarantee prompt delivery of the ordered items. Another change would be to start with larger 16 GB micro SD cards rather than the smaller 8 GB ones.

Despite the issues encountered during the effort, the NIDS was developed on the RPZW. The next step would be to install one of the GUI interfaces for Snort; one that can be evaluated is BASE, the Basic Analysis and Security Engine. Another IDS, Bro, could be installed as a comparative product. Using the RPZW as a test bed for various configurations could serve as a proving ground before installation on more expensive hardware.

In closing, there are still other open-source applications whose usefulness is left to investigate. However, the project was completed with the initial NIDS installed for monitoring a wireless network. During the project the group worked together to accomplish the goals and succeeded in building a NIDS for monitoring Wi-Fi networks. Issues were dealt with as they arose. This was the end of a successful project.

List of references used to build upon.

5 comments:

  1. Wow! Thanks Lee, that was a good long read.

    Privacy is very important and people need to learn how to defend it. In today’s world, data breaches, threats, attacks and intrusions are becoming highly sophisticated. Cyber criminals and hackers come up with new methods of gaining access to business and home networks, making a multi-tiered approach to network security an urgent necessity. An Intrusion Detection System (IDS) is, therefore, the most important tool to be deployed to defend the network against the high tech attacks that emerge daily. An IDS, which is a network security tool, is built to detect vulnerability exploits against a target application or computer. It is regarded as a high-end network device or software application that assists the network or systems administrators in monitoring the network or system for all sorts of malicious activities or threats. Any unusual activity is reported to the administrator using a security information and event management (SIEM) system.
    There are a wide variety of IDSs available, ranging from antivirus to hierarchical systems, which monitor network traffic.

    The most important thing is finding an IDS that will give you the protection you need within a budget that you are comfortable with.

    Thanks,

    Ngozi

    Nayyar, A. (2017, April 10). The Best Open Source Network Intrusion Detection Tools.

  2. Lee,

    Thanks for this technical post. It is very informative and hands on.
    The question I have is related to the security of IoT devices that don't use WiFi but use other low-power communication protocols such as Bluetooth, ZigBee, and Z-Wave. There are many IoT home automation devices that use those protocols, which are not as secure as WiFi.
    How can the tools you described be used with a Raspberry Pi to detect and sniff suspicious network activities? Home automation devices that use different protocols but connect to a gateway in the home pose a great risk for intrusion. I have come across this product http://www.perytons.com/index.php/protocol-analyzers/bluetooth-smart/ that does network monitoring for such protocols, but it is relatively expensive and not open source. It would be great if there were something that could do the same with a Raspberry Pi.

  3. This comment has been removed by the author.

  4. Lee,

    Thanks for this technical post. It is very informative and hands on.
    The question I have is related to the security of IoT devices that don't use WiFi but use other low-power communication protocols such as Bluetooth, ZigBee, and Z-Wave. There are many IoT home automation devices that use those protocols, which are not as secure as WiFi.
    How can the tools you described be used with a Raspberry Pi to detect and sniff suspicious network activities? Home automation devices that use different protocols but connect to a gateway in the home pose a great risk for intrusion. I have come across this product http://www.perytons.com/index.php/protocol-analyzers/bluetooth-smart/ that does network monitoring for such protocols, but it is relatively expensive and not open source. It would be great if there were something that could do the same with a Raspberry Pi.

    Safa Alshannag

  5. Hello, Wireshark has developed a stack to read packets in the bluetooth protocol. Please check out the following link: https://wiki.wireshark.org/Bluetooth
